Lynis 2.3.2 - Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several
big changes have been made to core functions of Lynis. These changes are the next
in the series of simplification improvements we made. There is a risk of breaking
your existing configuration.

Lynis is an open source security auditing tool, used by system
administrators, security professionals, and auditors to evaluate the
security defenses of their Linux and UNIX-based
systems. It runs on the host itself, so it performs more extensive
security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, so it runs on almost all Unix-based systems and versions, including:

AIX

FreeBSD

HP-UX

Linux

Mac OS

NetBSD

OpenBSD

Solaris

and others

It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional:
just copy it to a system, and use "./lynis audit system" to start the
security scan.
It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests to determine the
security state of the system. The security scan itself consists of
performing a set of steps, from initialization of the program up to the
report.

Steps

Determine operating system

Search for available tools and utilities

Check for Lynis update

Run tests from enabled plugins

Run security tests per category

Report status of security scan

Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.
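
An added example, not part of the original announcement or of Lynis itself: a small shell summary of the findings in a report file. The key=value layout with warning[] and suggestion[] entries split by "|" is an assumption, and the sample report is constructed.

```shell
#!/bin/sh
# Assumed report format (not shown on the page): key=value lines, with
# findings written as  warning[]=TEST-ID|description|details|solution|

# make_sample_report FILE: write a constructed sample report for the demo
make_sample_report() {
    cat > "$1" <<'EOF'
# Constructed sample report
lynis_version=2.3.2
hardening_index=61
warning[]=AUTH-9328|Constructed sample: weak default umask|-|-|
suggestion[]=TOOL-5104|Constructed sample: no enabled fail2ban jails|-|-|
suggestion[]=AUTH-9328|Constructed sample: umask in /etc/profile.d|-|-|
EOF
}

# count_findings FILE KIND: number of KIND[] entries (warning or suggestion)
count_findings() {
    awk -F= -v k="$2[]" '$1 == k { n++ } END { print n + 0 }' "$1"
}

# findings_for_test FILE TEST-ID: "kind<TAB>description" for each finding
findings_for_test() {
    awk -v id="$2" '
        /^(warning|suggestion)\[\]=/ {
            kind = substr($0, 1, index($0, "[") - 1)
            rest = substr($0, index($0, "=") + 1)
            split(rest, f, "|")
            if (f[1] == id) printf "%s\t%s\n", kind, f[2]
        }' "$1"
}

# report_value FILE KEY: value of the first plain KEY=value line
report_value() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# Demo on the constructed sample
report=$(mktemp)
make_sample_report "$report"
echo "warnings=$(count_findings "$report" warning) suggestions=$(count_findings "$report" suggestion)"
findings_for_test "$report" AUTH-9328
rm -f "$report"
```

Counting findings per test ID between two scans gives a simple way to confirm that a hardening change actually cleared the finding it targeted.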

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.

For example, if it sees you are running Apache, it will perform an
initial round of Apache-related tests. If during the Apache scan it
also discovers an SSL/TLS configuration,
it will perform additional auditing steps on that. While doing so,
it will collect discovered certificates, so they can be scanned
later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost
no dependencies. The more it finds, the deeper the audit will be. In
other words, Lynis will always perform scans which are customized to
your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:

Security auditing

Compliance testing (e.g. PCI, HIPAA, SOx)

Vulnerability detection and scanning

System hardening

Resources used for testing

Many other tools use the same data files for performing tests.
Since Lynis is not limited to a few common Linux distributions, it uses
tests from standards and many custom ones not found
in any other tool.

Best practices

CIS

NIST

NSA

OpenSCAP data

Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog

Categories and Groups

Tests are now grouped by their focus area and named 'groups' accordingly.
Besides groups, each test will belong to a category (performance, privacy, or
security).
Commands: lynis show categories, lynis show groups
Options: --tests-from-category, --tests-from-group
Note: You might need to change your scripts if you previously defined the group
of tests to scan.

Development

A new 'strict' option is available in the profiles and by default enabled for
the initialization phases of Lynis. It will perform a strict code check for the
tests, to detect any uninitialized variables, improving code quality.
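
An added example, not Lynis code: what a strict check for uninitialized variables buys an audit test. It assumes the check behaves like the POSIX shell option -u; the test body and its variable names are constructed.

```shell
#!/bin/sh
# Constructed test body, modelled on a umask check. It assigns UMASK_FOUND
# but, through a typo, reads UMAKS_FOUND, which is never initialized.
TEST_BODY='
UMASK_FOUND="000"
case "${UMAKS_FOUND}" in
    000|002) echo "WARNING: permissive umask" ;;
    *)       echo "OK" ;;
esac
'

# run_lax: an uninitialized variable expands to "", so the check falls
# through to "OK" and the audit reports a false negative.
run_lax() { sh -c "$TEST_BODY"; }

# run_strict: with -u (assumed equivalent of the strict option) the shell
# aborts with a non-zero status as soon as the unset variable is read.
run_strict() { sh -u -c "$TEST_BODY" 2>&1; }

# audit_test_body: prints "clean" or "uninitialized-variable"
audit_test_body() {
    if run_strict >/dev/null; then
        echo "clean"
    else
        echo "uninitialized-variable"
    fi
}

# Demo: the same test body under both modes
echo "lax result:    $(run_lax)"
echo "strict result: $(audit_test_body)"
```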

Helpers

With 'lynis update check' you can now check for updates. This is the preferred
new method.
The command 'lynis show changelog' allows reviewing the changes. Optionally a
release can be specified as additional argument.

Languages

Initial translation for German has been contributed by Kai Raven, the Italian
translation by Stefano Marty (stefanomarty), and the Hungarian translation by
Zoltan Paldi (paldiz).

Profiles

Parsing of the profiles has been improved. Previously, it prevented some settings
from overriding default settings.

Tests

AUTH-9212 - Added prerequisite to log

AUTH-9216 - Simplified test and made it more efficient

AUTH-9218 - Clean ups and improve readability

AUTH-9226 - Style, text, and removed warning

AUTH-9228 - Provide just a suggestion instead of warning

AUTH-9268 - Improve test for readability

AUTH-9328 - Test /etc/profile.d for umask setting

AUTH-9406 - Readability and code style changes

CONT-8102 - Determine if all Docker tests should be performed

DBS-1880 - Initial support for Redis server

HTTP-6720 - Readability improvement of test

KRNL-5830 - Readability and style improvements, ignore rescue images

MAIL-8818 - Style and refactoring

PHP-2211 - Readability improvement and code style changes

PHP-2374 - Changed text and cleanups

PHP-2376 - Log result to log file instead of report

PKGS-7383 - Simplified test

PKGS-7388 - Style and readability improvements

TIME-3106 - Corrected string to test for status

TOOL-5102 - Split of fail2ban tests

TOOL-5104 - Test for enabled fail2ban jails

Languages

Translation of Spanish (es) added
Proper display of text strings when accented characters are used
More text strings added

General

Added bold and header as new colors

Changed header and footer of screen output

Allow atomic tests to be skipped (e.g. SSH-7408)

Extended tests database with category (lynis show tests)

By default Lynis will now run in 'quick mode' and not break after each
section. You can get the previous behavior (a break after each section) by
adding the --wait option.

Functions

RemoveColors - New test to clear colors

DisplayError - Display error on screen in uniform format and colors. Use an optional exit code to quit the program

SkipAtomicTest - This function is now properly working with lowercase strings